Enrichment of incidents is critical to reducing the effort involved in incident management. IP addresses, domains and file hashes are automatically checked against known malicious activity, GeoIP information is added, and incident entities are cross-referenced against threat intelligence data. Whitelists are also taken into account, and further context is gathered, such as whether a specific entity is a High Value Asset or whether a user has set an out-of-office notification in Outlook. The result is a calculated risk score for each incident, which forms the basis for automated triage, and a summary that notifies the user about the incident. The questions a SOC analyst would otherwise have to answer by hand are answered up front, making the investigation more efficient.
The Essential plan includes:
The Enhanced and Enterprise plans include:
Once enrichment has taken place and a risk score has been calculated, automated triage is performed and, if necessary, a notification is sent.